
The network audit I am about to undertake is large and I have taken your suggestions and downloaded the package. I will work with the network admins to get it out on the network so that I can start getting a feel for what I am truly up against.

I would like to continue posting my progress and findings if there is any interest? If there is a different thread I should start, or if I should just say thanks to you all and let this one archive. Suggestions?

What are your thoughts about the IRS?....or did your CEO dung his strides at that as well

Findnewjobometer registers full scale deflection

You KNOW what I mean

EDIT: For those who do not understand, I am saying that those with a clear conscience have no fear of the authorities.....has it occurred that the other guy might be the "victim"? albeit wrong in his actions?

Uno: a big network.... Good luck.... Post back here or PM me if you think I can give you any more help.

I would suggest that you create a log file on a secure server and have all the admins log everything they do, with their name and the date/time, what they did, why they did it and what the result was. That way, when it's all over and you haven't found anything, you can go back and collate the whole thing to see what might have been missed, what might have been done improperly or not completed fully, and what might have been misinterpreted as good when it was questionable.

Also, if you declare a box sound then I would put Zonealarm or something similar on it to lock it down some more, ensure all critical updates are installed, (You can do it nicely off a SUS server for free), and change the local admin password too. You don't want the bastige moving onto a clean machine behind you... Kinda defeats the whole point...

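As an added example (not code from the thread or from any poster), here is one way to keep the admin action log Tiger Shark describes and collate it afterwards per host: entries whose result is not a plain "ok" are listed as questionable, and any box declared clean without the hardening steps he mentions (critical updates, new local admin password) is flagged. The CSV rows, host names and the required-step checklist are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample entries, not from the thread. One row per admin action:
# who did it, when, on which box, what, why, and what the result was.
SAMPLE_LOG = """admin,timestamp,host,action,reason,result
alice,2004-03-01T09:10,SRV-FIN01,checked listening ports,baseline before cleanup,ok
alice,2004-03-01T09:40,SRV-FIN01,installed critical updates,close known holes,ok
bob,2004-03-01T10:05,WS-ACCT07,scanned for unknown services,suspected staging box,unclear: odd listener left for later
carol,2004-03-01T11:20,SRV-FIN01,changed local admin password,deny reuse of old creds,ok
alice,2004-03-01T11:30,SRV-FIN01,declared clean,nothing further found,ok
bob,2004-03-01T13:00,WS-ACCT07,declared clean,no malware found,ok
"""

# Assumed checklist: steps that should be logged for a box before it is declared clean.
REQUIRED_BEFORE_CLEAN = ("installed critical updates", "changed local admin password")


def parse_log(text):
    """Parse the CSV log into a list of dicts, ordered by host and then timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: (r["host"], r["timestamp"]))


def collate(entries):
    """Group entries per host and flag what may have been missed or left questionable."""
    by_host = defaultdict(list)
    for entry in entries:
        by_host[entry["host"]].append(entry)
    findings = {}
    for host, actions in by_host.items():
        done = {a["action"] for a in actions}
        declared = any(a["action"] == "declared clean" for a in actions)
        # Only complain about missing steps on boxes somebody already signed off.
        missing = [s for s in REQUIRED_BEFORE_CLEAN if s not in done] if declared else []
        questionable = [
            f'{a["admin"]} {a["timestamp"]}: {a["action"]} -> {a["result"]}'
            for a in actions
            if a["result"].strip().lower() != "ok"
        ]
        findings[host] = {
            "declared_clean": declared,
            "missing_steps": missing,
            "questionable": questionable,
        }
    return findings


if __name__ == "__main__":
    for host, report in collate(parse_log(SAMPLE_LOG)).items():
        print(host, report)
```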

I dunno Nihil..... This has the potential to be a very successful venture for uno. If he is thorough and ends up putting a stop to the leak, which clearly isn't something as bland as payroll records or the bosses wouldn't be so concerned about the publicity, then he can practically write his own check IMO...... Fun challenge too if his bosses give him free rein...

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Originally posted here by br_fusion: Don't drag the FBI into this.......

Not even his crimes deserve the somewhat unfair wrath of the feds.

Unless you hate and despise the person, it is not worth throwing them in jail for 10+ years. If you have a good idea who it is, which it seems you do, try confronting the person and letting them know you are aware of their actions. (Or confront them in a less obvious way or even by an anonymous email).

cheers

Feds=last resort

In the beginning of what would turn out to be the 'gateway' of cyber-crime, I would have believed the feds to be the last resort because most things could've been worked out, etc. That being said, nowadays, they'd be the first group I'd bring in if the situation were not able to be solved in more conducive manners. Now, with new "virii" available every other day, new bugs, holes, and exploits running rampant, I wouldn't take the chance.

How is it unfair wrath? If you KNOWINGLY (and yes, they all know) try to compromise a network or pc with intent to exploit for further cause (trojan/mining/etc) or steal data and/or destroy the system in an attempt to hide your actions, then you deserve every ounce of the wrath of the authorities.

Because if I were to go after someone in a "less obvious way" (read: meet them in the back of a parking lot somewhere and handle business then), you can damned well be sure they'd press every assault & battery charge they could or more to not have me face the "undeserved wrath of the police". And confronting them to let them know of your awareness of their actions would be laughable at best. Most people who're willing to break the laws like that would probably respond with "Yeah, prove it" or "And I'll go public with your data" or "I'll destroy everything you have if you talk to the police". Bad idea there...

We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

Firewall and IDS.....As luck would have it the IDS rep is coming today to talk to me about Symantec Manhunt, which exists on the system, however, no one knows how to use it. Once again everyone is looking to me. I am almost certain it is monitoring from behind the firewall.

I want to set up the system so that there is an external sensor using Snort and the internal is using Manhunt. There is an established DMZ and NAT is being used.

If anyone has used these products or has suggestions on their setup. Tiger Shark, you mentioned a secure server, which I want to put on a separate switch with management connections to the database server and analyst's console.

With Snort I plan on using 2 interfaces, one for the sniffing and one for the maintenance.

The system I use for Snort, which may be more than you want here but should help you get some things going is in a tutorial I wrote here

I can't help you with the Manhunt stuff 'cos I've never used it. I don't know why, but I used to like NAV and hate all their "add-on" stuff... now I'm no great proponent of NAV any more either... But that's a whole other story.

If you want some simple custom rules written or need anything else on what I do feel free to ask, I'm in and out of here all weekend - bloody addict I guess.

I, personally, would keep your secure server as just that - secure and single use. Only allow Terminal services to it from the network and only allow a single account to access it from the network. Use IP Filtering to block all other connections. Use a different box for your log server.
